WPScan Licensing

When you first release software online you don’t put too much thought into the software license (I didn’t at least). You have no idea if the project will take off. If your intention is for your peers to use it freely your first thought may be Open Source. The most popular Open Source license is the GNU GPL, so why not use that!?

I released WPScan on the 16th of June 2011 along with the GNU GPL license. After a while I built up a team, The WPScan Team, which were people who had the same goals as me, to make an awesome black box WordPress scanning tool. The WPScan Team (3 other awesome people) and I have been working on WPScan in our spare time as volunteers for almost 4 years. Countless hours, days, weeks and months of man hours have been put into WPScan and recently the WPScan Vulnerability Database by us.

And we don’t mind this, we do it because we want our peers to be able to use the software freely. We do it because we want to use the software ourselves. Of course there is no selfless deed, we do it for the technical challenges we face, the buzz of working in a team of like minded people and the appreciation of our peers.

As the project began to grow the workload also grew. It’s Open Source right? Anyone can contribute. The truth is, not many people do. Or if they do, they don’t stick around for very long. We’re very grateful for the contributions we have had. Most users expect us to fix bugs, implement features, ensure we have the latest dependencies, are secure, etc. This is the responsibility of the software maintainers, open source or not. If you sit around and wait for other contributors to do it, it would not get done for a very very long time if at all.

Then comes the individuals and companies who want to make a quick buck out of our hard work. Companies who we have never heard of. Companies that have never contributed anything. Taking our project and selling it for a profit. There have probably been around 10-15 companies who have done this in the past, it seems to be an upward trend.

When I approach these companies I tell them they are in breach of our software license. Although the GNU GPL does not disallow commercial usage their code should also be GNU GPL’ed which is never the case. I offer them a non-GPL’ed paid version under a commercial license. They have all decided to not pay. Most have decided to stop using WPScan.

Chasing these companies takes time, sometimes a whole day of emails back and forth arguing the intricacies of the GNU GPL while they try and weasel their way out of complying to our license. This takes a lot of my time away from the important stuff, working on WPScan and the WPScan Vulnerability Database. Because of this I decided to add a clause to the license. If you want to sell WPScan you can pay for a commercial license, otherwise you can use it under the GNU GPL.

After a few months with this license it was pointed out to me that the GNU GPL does not allow these kind of clauses. (Correction: although several people told me this, it seems that it is not true, see here and here ) What some individuals and companies decided was a ‘loophole’. I argue that they should abide by either the commercialization clause or the GNU GPL in this situation. They decline.

This morning I noticed another company selling WPScan. Usually I don’t name these companies because I don’t want to give them any publicity. But today, I’m at my wits end with them. The company of today is called Delve Labs from Montreal, Canada. They are selling WPScan as a product called ‘Warden’. I have been speaking to a Gabriel Tremblay who works for them but I believe it is owned by Yves Lepage, he works in security at REDACTED. They have refused to pay for a commercial license or obied by the GNU GPL. The only way I could force them is by seeking legal advice. More cost and time which could be put into WPScan.

I have been working on a new WPScan license for the past few months, a non Open Source license which should hopefully put an end to these piranhas once and for all. I known, “non-open source” sounds scary right? But I intended for the new license to not affect users in any way. It should only make it absolutely clear that commercial usage is not allowed.